I've just begun using Linux RH 9, which has iptables for its firewall. The current set of rules was generated by LOKKIT at medium-level security. This means roughly that ports up to 1024 are blocked.
I'd like to give my other machine full access through the internet (tcp, udp, icmp) and think this would be taken care of by adding a line or two to /sbin/sysconfig/iptables. It would also be nice to use a DNS name instead of the IP so updating isn't necessary.
What kind of commands should be used and does it matter in what order they are placed?
Before giving you a portion of a firewall script, I would like to know your network configuration.
First, from reading your post I assume the firewall box is connected to the Internet. Then I assume the other machine is on a LAN behind the firewall, and you would like the firewall to "share" Internet access with the other machine.
Is this true?
Second, your firewall will need two network cards, one connected to the Internet, the other to the LAN containing the other machine (this could even be a crossover cable directly connecting the two computers if you have no hub or switch).
Do you have two network cards in the firewall?
Once we settle the network questions above, I can tell you how to do this. I can even supply you with a firewall script. However, after examining lokkit, I see that it has no provision for enabling Internet sharing. My approach is to not use the iptables service at all, but to write my own rules that activate when my firewall boots up.
Also, what do you mean when you say you want to use DNS instead of IP? Do you mean DHCP? If so, I can tell you how to set up a DHCP server.
Let me know the answers to my questions and I'll get back to you. If you are new to Linux, these tasks can seem intimidating, but after you see how they are done it will make sense.
> First, from reading your post I assume the firewall box is connected to the Internet. Then I assume the other machine is on a LAN behind the firewall, and you would like the firewall to "share" Internet access with the other machine.

My Linux PC (I'll call it $A) is not firewalling a home LAN. Its firewall is only for securing itself. It's connected to the internet, though. By the other PC ($B), I mean any PC that should get free access to $A through the internet.
> Also, what do you mean when you say you want to use DNS instead of IP? Do you mean DHCP? If so, I can tell you how to set up a DHCP server.

Oh, my bad, I meant to use www.mydomain.org instead of the exact IP in the iptables rules.
After reading what tutorials I could find, it seemed like this can be done quite simply by adding lines to the iptables ruleset like this:
In this case I'd like to accept all traffic from and to that "some ip" and in fact use a domain name instead. But since I've never done it, I don't really trust that I got it right.
If you want to access computer $A from computer $B over the Internet I recommend using secure shell (ssh) and only opening that port. I would not use rules like you have written that open so many ports.
"-I" means this rule concerns incoming packets and that the line is inserted at the beginning of the ruleset, because later, more restrictive rules might conflict with it.
"-p" protocol
"-s" source address, can be replaced by a hostname (but then more vague, less secure)
"--dport" destination port on your machine
"-j" if the packet matches this rule, accept it
Generally, if you leave out definitions, the rule becomes sloppier in what it allows.
As viz recommended, this is probably not the safest way to go, but it gets the job done in case you're in a hurry to allow specific connections.
Hopefully someone corrects me if I still didn't get this right.
This is correct. There are other points worth noting.
1. Instead of the port number, you can put the name of the service if it is listed in /etc/services. In this case, the number "80" in the example becomes http.
2. If you list a service name or port with the --dport flag, the -p flag along with the protocol type is required. In other words, in order to gain access to the --dport flag, you must first indicate the protocol.
You may already know this, but I figured if you were new to iptables it might be worth mentioning.
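To pull the points of the last two replies together, here is an added example (not code from any poster in this thread). It emits a ruleset in the iptables-save format that the iptables service on RH 9 loads from /etc/sysconfig/iptables, with the peer's ACCEPT lines placed ahead of the final REJECT (the same ordering "-I" gives you on a live chain), and with the ssh rule written as a service name from /etc/services, which works only because "-p tcp" is given first. It also handles the hostname question: iptables resolves a name to an address once, when the rule is loaded, so a name in a boot-time ruleset fails if DNS is not reachable yet and never follows later address changes. The script therefore resolves the name itself and writes the address. The address 203.0.113.10 is a documentation placeholder, and "getent ahostsv4" is assumed to be available (glibc).

```shell
#!/bin/sh
# Added example, not from the thread. Usage (as root):
#   sh peer_rules.sh www.mydomain.org > /etc/sysconfig/iptables
#   service iptables restart
# 203.0.113.10 below is a placeholder address, not a real host.
set -eu

# Accept only a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Turn the peer argument into an address. A hostname is looked up here,
# once, at script run time (assumes glibc's "getent ahostsv4"), so the
# saved file never contains a name that iptables-restore would have to
# resolve at boot. Re-run the script when the name's address changes.
resolve_peer() {
  if is_ipv4 "$1"; then
    echo "$1"
  else
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
  fi
}

# Print the ruleset. Line order is chain order: the peer's ACCEPT rules
# and the ssh rule sit above the catch-all REJECT, otherwise the REJECT
# would match first and the later ACCEPTs would never be reached.
# "--dport ssh" is a service name from /etc/services; it is only valid
# because "-p tcp" precedes it on the same line.
peer_ruleset() {
  peer="$1"
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $peer -p tcp -j ACCEPT
-A INPUT -s $peer -p udp -j ACCEPT
-A INPUT -s $peer -p icmp -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

if [ $# -gt 0 ]; then
  addr=$(resolve_peer "$1")
  if ! is_ipv4 "$addr"; then
    echo "could not resolve $1 to an IPv4 address" >&2
    exit 1
  fi
  peer_ruleset "$addr"
fi
```

Because the address is baked in, the file does what the OP wanted (full tcp/udp/icmp from one host) without the boot-time DNS dependency; the cost is that you re-run the script and reload the service when www.mydomain.org moves. If only ssh is needed from $B, as viz suggested, drop the three "-s $peer" lines and keep the ssh rule.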